Twitter Moves to OAuth: The OAuthcalypse Is Nigh

Twitter is killing support for basic user authentication in third-party apps on Tuesday morning, the company says. Instead, Twitter will now require all third-party app developers to use OAuth for user authentication.

This is a planned move Twitter first announced in December, and the company has posted a help page on its developer site with some resources meant to ease the transition to OAuth.

The Twitter API team has been dialing down the number of requests an app can make using the basic authorization method. That number will hit zero at 8AM Pacific time Tuesday.

Some bloggers have given the event the catchy name, “OAuthcalypse” — a bit of a mouthful, but so is “user authentication protocol” — the implication being that when basic authentication is switched off, it will break old software and leave users in the dark. But since Twitter has given developers ample warning of the change, the switch will only lock out a small number of apps.

Twitter’s move mirrors a broader trend on the social web, where basic authentication is being ditched for the more secure OAuth when services and applications connect users’ accounts.

In basic authentication, a website or app will say, “Hey, do you want to share whatever you’re doing here with your friends on Twitter? Give me your Twitter username and password and I’ll hook up your accounts.” By passing along your info, you’re giving that app or website unlimited access to everything in your Twitter account. Pretty dangerous, and not secure.

In OAuth authentication, the website or app will send you to Twitter where you sign yourself in, then Twitter will tell the website or app “Yeah, they are who they say they are.” The website or app only gains the ability to do certain things with your account — post, read, reply, search — while staying locked out from the more sensitive stuff.

This article originally appeared on Webmonkey.com, Wired’s site for all things web development, browsers, and web apps. For more from Webmonkey, follow the links at the end of the article.

The biggest advantage of OAuth is you don’t have to tell your Twitter password to anyone other than Twitter. Also, OAuth connections are token-based, so once a connection is established, you can change your Twitter password without having to re-enter it into the website or app.
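To make the difference described above concrete, here is an added example (not code from the original article or from Twitter) of how an OAuth 1.0a request, the protocol version Twitter adopted, is signed by the app and checked by the service per RFC 5849: the app holds only its consumer key and the user’s access token, and signs each request with HMAC-SHA1 over the request parameters, so the user’s password is never an input, whereas basic authentication would carry base64(username:password) on every request. The credentials, endpoint URL and status text are constructed placeholders, not real Twitter values.

```python
import base64, hashlib, hmac, re, secrets, time
from urllib.parse import parse_qsl, quote, unquote, urlparse

# Constructed placeholder credentials, not real Twitter values: the app's consumer pair and the user's token pair.
CONSUMER = ("app-key-demo", "app-secret-demo")
TOKEN = ("user-token-demo", "user-token-secret-demo")

def _enc(s):
    return quote(str(s), safe="-._~")  # RFC 3986 unreserved set, as RFC 5849 section 3.6 requires

def oauth_base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(sorted encoded params); default-port stripping omitted
    u = urlparse(url)
    merged = {**dict(parse_qsl(u.query, keep_blank_values=True)), **params}
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_enc(k), _enc(v)) for k, v in merged.items()))
    return "&".join([method.upper(), _enc(f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"), _enc(normalized)])

def oauth_sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with the two shared secrets (section 3.4.2); the user's password is never an input
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, oauth_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def oauth_header(method, url, body, consumer, token):
    # Client side: add the oauth_* parameters, sign, and build the Authorization header (section 3.5.1)
    params = dict(body, oauth_consumer_key=consumer[0], oauth_token=token[0], oauth_nonce=secrets.token_hex(8),
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(int(time.time())))
    params["oauth_signature"] = oauth_sign(method, url, params, consumer[1], token[1])
    oauth_only = sorted((k, v) for k, v in params.items() if k.startswith("oauth_"))
    return "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in oauth_only)

def oauth_verify(method, url, header, body, consumer_secrets, token_secrets):
    # Server side: parse the header, look up the secrets by consumer key and token, recompute and compare
    fields = {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', header) if k != "realm"}
    claimed = fields.pop("oauth_signature", "")
    c_secret = consumer_secrets.get(fields.get("oauth_consumer_key"))
    t_secret = token_secrets.get(fields.get("oauth_token"))
    if c_secret is None or t_secret is None:
        return False
    expected = oauth_sign(method, url, dict(body, **fields), c_secret, t_secret)
    return hmac.compare_digest(expected.encode(), claimed.encode())

def demo(url="https://api.example.com/statuses/update", status="Hello from an OAuth app"):
    # Constructed request: the app posts on the user's behalf; the server verifies it, then a tampered copy
    body, reg = {"status": status}, ({CONSUMER[0]: CONSUMER[1]}, {TOKEN[0]: TOKEN[1]})
    header = oauth_header("POST", url, body, CONSUMER, TOKEN)
    return {"header": header, "secret_in_header": CONSUMER[1] in header or TOKEN[1] in header,
            "valid": oauth_verify("POST", url, header, body, *reg),
            "tampered_valid": oauth_verify("POST", url, header, {"status": "tampered"}, *reg)}
```

Because the token and its secret, not the password, key the signature, the user can change the Twitter password afterwards and the app’s signed requests still verify.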

The only disadvantage is that old apps that haven’t updated to use OAuth will stop working this week. All of the popular ones (Seesmic, Tweetdeck, etc.) have already updated.
